Analysis
-
max time kernel
56s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 03:52
Static task
static1
Behavioral task
behavioral1
Sample
huorong.msi
Resource
win7-20230831-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
huorong.msi
Resource
win10v2004-20230915-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
huorong.msi
-
Size
23.2MB
-
MD5
1d3c6fa65ced640eb43db10be0d86a9e
-
SHA1
3b2bf4a8ac29132b467137532b6f22bde476dc6a
-
SHA256
32afffe939b5da15c19766da3cc587445da11b038434aa0c584dbca1ee1e8e9f
-
SHA512
4baf23f720702c9c4f0aef1c271ba51d2fc6e9a8f9e7c5d16ec1e4c90adcd1b234b84c70cb6c0dff37f85fe6d4ab97836c1399ad08038b4ac363f1c3a19f177c
-
SSDEEP
393216:Dzw0seFgtYZuNISGXEp4nodoU9JF3SZjun+9WIkpyICVEL075qp+T9GHltWllUjk:v4YuYyGXLnodoUXF+unKxjQp+T8FUnUK
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 4420 msiexec.exe Token: SeIncreaseQuotaPrivilege 4420 msiexec.exe Token: SeSecurityPrivilege 100 msiexec.exe Token: SeCreateTokenPrivilege 4420 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4420 msiexec.exe Token: SeLockMemoryPrivilege 4420 msiexec.exe Token: SeIncreaseQuotaPrivilege 4420 msiexec.exe Token: SeMachineAccountPrivilege 4420 msiexec.exe Token: SeTcbPrivilege 4420 msiexec.exe Token: SeSecurityPrivilege 4420 msiexec.exe Token: SeTakeOwnershipPrivilege 4420 msiexec.exe Token: SeLoadDriverPrivilege 4420 msiexec.exe Token: SeSystemProfilePrivilege 4420 msiexec.exe Token: SeSystemtimePrivilege 4420 msiexec.exe Token: SeProfSingleProcessPrivilege 4420 msiexec.exe Token: SeIncBasePriorityPrivilege 4420 msiexec.exe Token: SeCreatePagefilePrivilege 4420 msiexec.exe Token: SeCreatePermanentPrivilege 4420 msiexec.exe Token: SeBackupPrivilege 4420 msiexec.exe Token: SeRestorePrivilege 4420 msiexec.exe Token: SeShutdownPrivilege 4420 msiexec.exe Token: SeDebugPrivilege 4420 msiexec.exe Token: SeAuditPrivilege 4420 msiexec.exe Token: SeSystemEnvironmentPrivilege 4420 msiexec.exe Token: SeChangeNotifyPrivilege 4420 msiexec.exe Token: SeRemoteShutdownPrivilege 4420 msiexec.exe Token: SeUndockPrivilege 4420 msiexec.exe Token: SeSyncAgentPrivilege 4420 msiexec.exe Token: SeEnableDelegationPrivilege 4420 msiexec.exe Token: SeManageVolumePrivilege 4420 msiexec.exe Token: SeImpersonatePrivilege 4420 msiexec.exe Token: SeCreateGlobalPrivilege 4420 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4420 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\huorong.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4420
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:100